Thanks David. That all makes sense now!
--- On Tue, 11/18/08, David Spencer <[EMAIL PROTECTED]> wrote:

> From: David Spencer <[EMAIL PROTECTED]>
> Subject: Re: cas proxy
> To: "Yale CAS mailing list" <[email protected]>
> Cc: [EMAIL PROTECTED]
> Date: Tuesday, November 18, 2008, 9:53 AM
>
> --On 18 November 2008 06:58 -0800 john wu <[EMAIL PROTECTED]> wrote:
>
> > Thanks a lot!
> >
> > Another question. In this example
> >
> > https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
> >
> > http://localhost/bling is the back-end service url and
> > https://foo.bar.com/pgtCallback is the url of the service that wishes to
> > proxy a client's authentication to a back-end service
> >
> > Is it correct?
>
> I think the example you're quoting comes from here:
> <http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough>
> which is very much a pedestrian walk through of the steps
> involved in proxying and doesn't have all the pieces of
> the puzzle fully fleshed out.
>
> I can see using pgtUrl=https://foo.bar.com/pgtCallback
> could be confusing as it implies the pgt callback is to a
> different server to the one specified in 'service'
> (and actually implies it's the same as the CAS server,
> which it generally won't be). A more likely URL in a
> real-world situation would be:
>
> https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=https://some.other.host/my_app/bling&pgtUrl=https://some.other.host/my_app/pgtCallback
>
> https://foo.bar.com/is/cas is where the CAS server is
> installed and
> https://some.other.host/my_app is where the application
> using CAS lives.
>
> The service URL is about the original user login and where
> the user is redirected to post-login. The ticket that gets
> generated is tied to that service which is why you need to
> supply the service when you are validating a ticket. The pgtUrl
> is where CAS needs to send the Proxy Granting Ticket.
> Ordinarily, those two parameters would point to different
> URLs within the same application as the user will be
> returned to the service URL with a ticket, the ticket is
> exchanged for a username and a pgtIOU and the pgtIOU can be
> matched against what was sent to the pgtUrl with the PGT.
>
> Clear as mud?
> Dave
>
> ----------------------
> David Spencer
> Information Systems and Computing
> University of Bristol
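
The pgtIOU matching described in David's reply above, sketched in Python as an added example (not part of the original thread and not code from any CAS client library). `PgtStore`, `validate_url` and `handle_validation` are hypothetical names, the sample response, user name and PGT values are constructed, and the `pgtIou`/`pgtId` callback parameters and XML namespace are taken from the CAS 2.0 protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Constructed sample response; the user name and PGTIOU value are made up.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jwu</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


class PgtStore:
    """Hypothetical helper: holds pgtIou -> pgtId pairs that CAS sent to pgtUrl."""

    def __init__(self):
        self.pending = {}

    def on_callback(self, query_string):
        # CAS delivers the PGT to pgtUrl as the query parameters pgtIou and pgtId.
        params = parse_qs(query_string)
        iou = params.get("pgtIou", [None])[0]
        pgt = params.get("pgtId", [None])[0]
        if iou is None or pgt is None:
            return False  # request without both parameters: nothing to store
        self.pending[iou] = pgt
        return True

    def redeem(self, iou):
        # One-time lookup: a replayed or unknown pgtIou yields None.
        return self.pending.pop(iou, None)


def validate_url(cas_base, ticket, service, pgt_url):
    # The PGT is a credential, so refuse a callback that is not HTTPS.
    if urlparse(pgt_url).scheme != "https":
        raise ValueError("pgtUrl must use https")
    query = urlencode({"ticket": ticket, "service": service, "pgtUrl": pgt_url})
    return cas_base + "/serviceValidate?" + query


def handle_validation(xml_text, store):
    # Exchange the validated ticket for (username, PGT matched via pgtIOU).
    success = ET.fromstring(xml_text).find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise PermissionError("CAS did not validate the ticket")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, (store.redeem(iou) if iou else None)
```

`validate_url` percent-encodes `service` and `pgtUrl`, which the URLs quoted in the thread leave unencoded for readability.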
